1. Home
  2. Detection Strategies
  3. Detection of Audio Capture

Detection of Audio Capture

Technique Detected:  Audio Capture | T1429

ID: DET0673
Domains: Mobile
Analytics: AN1772, AN1773
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN1772

In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.[1]

In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.[2]
Android applications using the RECORD_AUDIO permission and iOS applications using RequestRecordPermission should be carefully reviewed and monitored. If the CAPTURE_AUDIO_OUTPUT permission is found in a third-party Android application, the application should be heavily scrutinized.

In both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary.

Log Sources
Data Component Name Channel
System Settings (DC0118) User Interface None
Permissions Requests (DC0114) Application Vetting None

AN1773

In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.[1]

In Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.[2]
Android applications using the RECORD_AUDIO permission and iOS applications using RequestRecordPermission should be carefully reviewed and monitored. If the CAPTURE_AUDIO_OUTPUT permission is found in a third-party Android application, the application should be heavily scrutinized.

In both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary.

Log Sources
Data Component Name Channel
System Settings (DC0118) User Interface None
Permissions Requests (DC0114) Application Vetting None

References

  1. ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.
  1. Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.